Property agency

Property agency

Purpose of this factsheet

The GDPR (General Data Protection Regulation) came into effect on 25 May 2018. It changes, updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides as to the general requirements, including those provided by country regulators.

These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.

This factsheet addresses the particular issues facing the property agency business. We have a range of other factsheets tailored to the business needs of other professionals, which you can access here.

Key features of GDPR

The main areas for firms and individual professionals to address can be summarised as follows:

Transparency

Accountability

Processes and controls

Enforcement and fines

Data subject rights

Ongoing nature of obligations

Transparency

You must be clear with your clients, marketing prospects, sub-contractors and employees about:

What data you're going to collect and use

Why you need this data - the purposes for which you need to process the data

How you're going to process the data and in which countries will data be processed

Whether you need to transfer the data to third parties

You must have clear, updated notices for all the relevant groups of people whose data you use. These notices must be easily found and always available and you must notify people appropriately of the existence of these notices (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).

Accountability

Demonstrate that you have a clear view of the data flows across your entire business.

Identify the lawful basis for processing data in each case. For example:

to fulfil contractual obligations

to satisfy a legal requirement

legitimate interests

consent

If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.

For individual RICS professionals within firms, you will be able to rely on the firm processes and governance, provided you have reasonably satisfied yourself that it is being conducted in a diligent and compliant way.

Processes and controls

Governance Framework: you need to manage your compliance. This will include setting policies, running training and the potential appointment of a Data Protection Officer (DPOs): For example, if a significant proportion of your work is for local government, or other authorities, you should consider voluntarily appointing a DPO.

Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant data aspects to new projects, systems or processes and, if so, evaluate what that impact will be.

Enforcement and fines

Regulators have a mandate to enforce compliance with the GDPR and greater enforcement rights. For example, regulators may impose a large fine of up to the greater of €20 million or 4% of annual global turnover in the event of particularly harmful breaches.

Data subject rights

You need to have processes in place to change or update data on request.

Individuals may request a copy of the data you hold on them at any time. You should ensure you have systems in place which can identify, retrieve and securely deliver responses to any requests.

Ongoing nature of obligations

Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards. Depending on the focus of your business, your surveyors and marketing executives will all need training to enable them to take responsibility for data security and management and to adopt good practice in how they carry out their roles.

Related Property Management events

Related Property Management training

Case study: Property agency

Scenario:

Agency B handles sales and rentals through a network of offices in the UK and Spain and a satellite office in Dubai.

The Agency uses a number of third party tools and systems to process data, including online systems for Anti-Money Laundering (AML) and Know Your Client (KYC) checks, and tenant background checks on behalf of landlords.

Most of the systems and data are accessible by staff in all offices.

The systems are being upgraded and some are being migrated to cloud solutions.

The Agency follows the RICS Professional Statement on Conflicts of Interest and turns down work for potential tenants where it has previously acted for the relevant landlord.

Issues:

Data transfers between offices can happen even if the data/application is hosted in one office or location.

The terms of the contract with the third party providers of tools and services will set out their own approach to security and data protection issues, which may or may not have been negotiated by agency B.

Cloud services are routinely backed up at locations away from the main data centres (sometimes with large providers). The entire supply chain is not always visible to the end user client but its data (and that of its clients and marketing contacts) may be held and transferred throughout this supply chain.

The Professional Statement places a positive obligation on RICS professionals and firms to identify and manage Conflicts of Interest (as defined in the Professional Statement). They also impose duty to retain auditable records of any Informed Consents which are obtained.

GDPR points to note:

This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.

It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.

Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.

Review of data processing activities: Agency B should identify all the categories of personal data currently being processed for which it is the data controller and should also identify the purpose of the processing and the systems and locations in which it is held. This could include, for example: details from registration forms completed by prospective buyers and tenants, information about sellers and landlords and information about the company's own employees in the UK and Spanish offices. Some agencies operate as a network of franchises in which each office can be a separate legal entity, and each may be a data controller in its own right. In some cases, the agencies are part of a group structure(e.g. they all form part of the same ultimate corporate group) but the entities in the EU might be simply carrying out instructions of a Dubai HQ (in which case the operations in the UK and Spain might be processing data only), or there may be a complex set of arrangements whereby there are joint controllers or different entities are data controllers for different activities. It is important that Agency B works through each processing activity and determines who is making decisions so the data controller(s) is correctly identified.

In particular, where data is being shared with third parties: whether with financial advisers on site, solicitors or between different agencies, agency B will need to consider how this is managed, what basis it is relying on and how to ensure it has given appropriate notification to the data subjects.

AML checks may involve processing special category data, so the agency will have to take into account the additional controls imposed on processing these types of data.

Record of data processing activities: Agency B must create or update appropriate and compliant records of all the data processing activity identified in the first step for which it is the data controller.

Lawfulness of processing: In order to continue processing this data, agency B must identify the relevant legal ground in each case. For example, in relation to its sellers, the agency is likely to enter into a contract for the marketing of the property and the processing is likely justifiable in the performance of the contract. With buyers, there is unlikely to be a contract so the agency will have to rely on alternative grounds. In relation to landlords and tenants, the landlords might be determining every aspect of the relationship (from reference checks to contract) and so where they are processing data as a data controller (i.e. for their own compliance purposes), the agency might rely on having a legitimate interest in processing this data.

In many cases, the agency will collect and want to re-use data for different purposes. In these cases, it must consider the legal basis for each separate use. For example, data might be collected in the course of one tenancy arrangement, and the agency then wants to keep marketing different properties or services. It will have to ensure it has legitimate grounds for carrying out that marketing activity. If relying on consent, it will have to comply with the requirements for gathering valid consent.

Transparency: Agency B should review and, where appropriate, update all documentation relating to its processing activities. This will include fair processing notices on its website and as notified to prospective clients and buyers or tenants. It will also need to review its terms of business, contract terms with the vendors of the AML and KYC activities, background checks and other systems it uses.

Data transfers outside the European Economic Area (EEA): In relation to the transfers of personal data, the Agency will need to consider whether it has justification for the data being available to colleagues outside the EEA (i.e. colleagues in the Dubai office). If not, it may decide to mitigate this by implementing operational and technical segregation of systems (for example, by way of login restrictions, holding EU data on a different instance of the relevant systems/programs, ensuring staff who travel between offices cannot use their 'home' login to access EU data remotely from the Dubai office etc.).

The principle of data minimisation and data deletion under the GDPR can co-exist with requirements to retain personal data for a period of time (in some cases for a number of years) in order to satisfy professional codes of conduct and/or other legal obligations.

The Agency will need to establish what data is essential to be able to meet its obligation to manage conflicts of interest, for example: if the clients are all corporate entities, the conflict clearance tool need only check against company names and groups and details of the individual who instructed the agency need not be held in that system. Where the agency operates in the residential market, there will clearly be a greater justification for retaining personal data of individuals where these are the clients.

The length of time for which information is retained depends on the exact requirements of the Professional requirements: in relation to a current transaction, e.g. the Agency needs to check it is not acting for landlord and tenant, then there is a clear requirement to keep information until the conflict is resolved or the Agency decides it cannot act for one or other party. If, however, the agency historically acted for a tenant, and in order to satisfy its conflicts of interest requirements, it would need to be able to retrieve this information for a longer period in the future, then it would need to demonstrate that:

it had a legitimate interest in retaining and processing the data over a period of years for conflicts purposes

it had clearly notified the client at the time of the original instruction (or by way of later update if applicable) for example by way of its Fair Processing Notice, that it would be retaining certain data for these purposes

it would need to ensure this was consistent with its own data retention policy

there should be consideration of appropriate 'long stop' dates for review of whether continued retention of the data was required. For example, in relation to an assured shorthold tenancy agreement, the data of expiry of the lease might be an appropriate review point. For longer leases, an interim point (say, after three years) may be more consistent with the principles of the GDPR.

DLA Piper

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.

This publication is intended as a general overview and discussion of the subjects dealt with and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication.

This may qualify as “Lawyer Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.